Recon

a guest
Jan 28th, 2020
1- Not a lot of GitHub sensitive exposures, since I already made a full video for that in BC university.

2- I spoke about creating a specific wordlist for each target, depending on the patterns I notice in each target.
The wordlist will initially have 3-5 file paths for each known technology, then I add to it the robots disallowed entries for the target company; that's the baseline. I add the subdomains to the list (yes, it happens with some companies: http://whatever.corp.example.com/whatever/), and the MOST important part is gathering paths & endpoints from GitHub for the company. A path might be for an internal host, but it's also there on production ones; you can't just depend on SecLists and known wordlists for that.

3- Gathering subdomains from GitHub for each target. The 1M list is good but not enough; from GitHub you get to see other subdomains, for example for Kubernetes: k8s-prd, k8s, depending on the company, etc.

You can use this https://github.com/gwen001/github-search for points 2-3.

4- This is nice and updated if you know how to clean the lists and use it with yours: https://github.com/milo2012/pathbrute (defaultPaths.txt, cvePaths.txt, packetstormPaths.txt, webappPaths.txt)

5- The new beta Shodan is very nice, examples:
it can help gathering subs easily: https://beta.shodan.io/domain/paypal.com
easy sorting: https://beta.shodan.io/search/facet?query=ssl%3Aoath+port%3A%22443%22&facet=org

6- When I have time to hunt for a month, I subscribe for a month to the Shodan small business plan (299$), which gives you:

Features
Up to 20 million results per month *
Scan up to 65,536 IPs per month
Network Monitoring for 65,536 IPs
Access to most filters
Allows paging through results
Basic access to the Streaming API
Commercial Use
E-Mail support
Vulnerability search filter
Their API is amazing.

7- I use this to manage my projects. It's underrated; I highly recommend trying it, it's free and amazing: https://github.com/intrigueio/intrigue-core

8- I keep monitoring changes on all subs I gathered.

9- I tend to be selective and more focused on what others ignore (302,403,401), and I always find endpoints reachable, and I got 3-4 critical bugs based on that when (302,401,401) were bypassed, mainly on endpoints gathered from GitHub.

10- It's good to make honeypots with technologies like Ruby, WebLogic, etc. There are a lot of CVEs but not a lot of public exploits; some people keep their exploits for themselves, and they might use them on your honeypots.
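
An added example, not part of the original paste: a self-audit that lists what an organisation's own robots.txt and source text disclose, which is the material points 2-3 describe going into a per-target wordlist. The function names, the `example.com` apex and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def disallowed_paths(robots_txt):
    """Paths listed under Disallow: in a robots.txt body (comments stripped)."""
    out = set()
    for line in robots_txt.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            out.add(value.strip())
    return out

def exposure(texts, apex):
    """Hostnames under `apex`, and their URL paths, referenced in source text."""
    hosts, paths = set(), set()
    for text in texts:
        for url in URL_RE.findall(text):
            try:
                parts = urlsplit(url.rstrip(".,;"))
                host = (parts.hostname or "").lower()
            except ValueError:          # malformed URL in source, skip it
                continue
            # exact apex or a true subdomain; "notexample.com" must not match
            if host == apex or host.endswith("." + apex):
                hosts.add(host)
                if parts.path not in ("", "/"):
                    paths.add(parts.path)
    return hosts, paths

def build_wordlist(robots_txt, texts, apex):
    """Baseline from point 2: robots entries + leaked paths + subdomain labels."""
    hosts, paths = exposure(texts, apex)
    words = disallowed_paths(robots_txt) | paths
    for host in hosts:
        labels = host[: -len(apex)].rstrip(".")
        words.update("/" + part for part in labels.split(".") if part)
    return sorted(words)

# Constructed sample inputs (assumptions, not data from the paste).
ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/  # old\nDisallow:\n"
SOURCES = [
    'API = "https://k8s-prd.example.com:8443/internal/metrics"',
    "curl http://whatever.corp.example.com/whatever/ && echo ok",
    "see https://github.com/some/repo and https://notexample.com/x",
]

if __name__ == "__main__":
    print("\n".join(build_wordlist(ROBOTS, SOURCES, "example.com")))
```

Every entry in the output is a name that should resolve to something intentionally public; anything internal that shows up here is worth removing from the repository or robots.txt.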